The Casbaneiro banking malware operators have used a User Account Control (UAC) bypass technique to acquire full admin privileges on targeted devices. This new campaign shows that threat actors constantly evolve their tactics to evade security detection and run malicious code on infected assets.
Based on reports, these threat actors still prioritise Latin American financial institutions as their targets. However, other sectors should not let their guard down since the capabilities of these actors could infect other organisations.
The Casbaneiro banking malware operators use phishing emails to execute their cybercriminal activities.
The Casbaneiro banking malware operation commonly starts with a phishing email that contains an infected attachment. Once a recipient launches the attachment, it activates several methods to deploy the banking malware. The attack includes several scripts that leverage living-off-the-land (LotL) tactics to fingerprint the targeted host and harvest system metadata.
The downloading stage of the malware includes a binary called Horabot, which could propagate the infection internally to other unsuspecting staff of the infected organisation.
The new campaign lends legitimacy to the emails it sends out, since they contain no anomalies that would typically alert email security solutions and allow them to prevent or mitigate the attempt.
Furthermore, the emails carry the same PDF attachment that infected the previous victim hosts. Hence, the infection chain can be executed a second time.
The difference between the new attack and the previous one is that the earlier campaign started with a spear-phishing email carrying a link to an HTML archive, which redirected targeted users to a site that downloaded a RAR file.
The other significant alteration to the attack process is that the new attack abuses fodhelper[.]exe to bypass UAC and obtain execution at high integrity level.
Researchers also explained that the Casbaneiro adversaries can create a mock folder at C:\Windows[space]\system32 (a directory name with a trailing space that mimics the real Windows folder) and duplicate the fodhelper[.]exe executable into it. Further research indicated that the actors employed this specially crafted path during the intrusion stage.
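As an added example that is not from the report or the researchers it cites: a small Python hunt over constructed Sysmon-style process-creation events (Event ID 1 field names) that flags the mock trusted directory pattern described above, fodhelper.exe running outside its legitimate location, and a high-integrity process started from such a path. The sample events and the `hunt` helper are constructed for this illustration; the legitimate fodhelper paths are the standard System32/SysWOW64 locations.

```python
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "High",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows \System32\fodhelper.exe", "IntegrityLevel": "High",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\stage2.exe"},
    {"Image": r"C:\Users\alice\Downloads\fodhelper.exe", "IntegrityLevel": "Medium",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Where the auto-elevating fodhelper.exe legitimately lives (lower-cased for comparison).
LEGIT_FODHELPER = {r"c:\windows\system32\fodhelper.exe", r"c:\windows\syswow64\fodhelper.exe"}

# Parent locations a user can write to; an auto-elevating binary launched from here is suspicious.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")


def has_mock_trusted_dir(path: str) -> bool:
    """True if any directory component ends with whitespace (e.g. 'C:\\Windows \\System32').
    Compare on the raw path: a normaliser that strips whitespace would hide the mock folder."""
    parts = path.split("\\")[:-1]  # drop the file name, keep directory components
    return any(p != p.rstrip() for p in parts)


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of detection names that fire for one process-creation event."""
    findings: List[str] = []
    image = ev["Image"]
    image_lc = image.lower()
    if has_mock_trusted_dir(image):
        findings.append("mock-trusted-directory")
    if image_lc.split("\\")[-1] == "fodhelper.exe" and image_lc not in LEGIT_FODHELPER:
        findings.append("fodhelper-outside-system32")
    if ev.get("IntegrityLevel") == "High" and "mock-trusted-directory" in findings:
        findings.append("high-integrity-from-mock-path")
    parent_lc = ev.get("ParentImage", "").lower()
    if findings and any(m in parent_lc for m in USER_WRITABLE_MARKERS):
        findings.append("user-writable-parent")
    return findings


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each flagged image path to its findings; clean events are omitted."""
    return {ev["Image"]: f for ev in events if (f := classify_event(ev))}
```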
The discovery of this new campaign is the third instance where the threat actors used the mock trusted folder tactic. Experts believe more attackers will follow and adopt such techniques in their cybercriminal activities soon.